ICO Enforcement Round-up - Summer 2016
Published 1 September 2016
Below are the top 5 actions for organisations to take derived from ICO enforcement action taken in June. Four of these tips predictably relate to marketing activities; half of all ICO enforcement actions in June arose from nuisance and non-compliant marketing campaigns:
- Check the TPS before undertaking telephone marketing activities
The Central Compensation Office Limited was issued with an enforcement notice to stop its illegal marketing practices after the company cold-call marketed to individuals registered with the Telephone Preference Service.
See the enforcement notice here.
- Undertake due diligence on vendors undertaking marketing activities for you
  - A fine of £80,000 was levied against Quigley & Carter Limited for spam text marketing despite Quigley arguing that it had contracted with a third party company to send the texts on its behalf.
  - Quigley were found to have breached regulation 22 of the Privacy and Electronic Communications Regulations ("PECR"), which prohibits sending unsolicited direct marketing text messages to individuals without their prior consent.
  - The ICO said Quigley should have been on notice of the risk of breach since one of its marketing vendors, Help Direct UK Ltd, had recently been the subject of ICO enforcement.
For details of the fine please click here.
- Organisations wishing to purchase marketing lists should conduct an equally thorough check of how that data was obtained
  - Quigley couldn't provide evidence to the ICO that consent had been obtained for the messages, proving that it is important for organisations to rely on more than just assurances from the seller about consent; organisations should always request hard evidence.
  - Organisations should also be aware that consent sourced by a third party needs to meet a particularly high threshold, including that it should reference the ultimate sender to be valid. Please see our briefing on the ICO's updated direct marketing guidance for further guidance.
- Provide the required information and opt out mechanisms when undertaking marketing
Advanced Voip Solutions Ltd (AVSL) were fined £180,000 for unsolicited automated marketing calls. These calls did not identify the caller; recipients were charged above the standard call rate to opt out of the marketing calls; the opt-out telephone number connected to another automated message; and some recipients were not removed from the marketing list even though they had requested it.
  - Call line identification was made mandatory under the PECR on 16 May 2016. This means that it is illegal for marketers to anonymise their call line numbers when dialing out to a recipient.
  - By charging for the opt-out call and failing to identify the caller, AVSL breached PECR regulation 24 which requires these details be available.
To see the details of the fine against AVSL please click here.
- Respond to subject access requests on time
An ICO enforcement notice for failure to respond to a subject access request was issued against Debbie Urch (trading as Kings Ransom) on 6 June.
Individuals have a right under the Data Protection Act to request information being held about them by an organisation. Such requests are termed 'subject access requests' or 'SARs' and must be responded to by the organisation within 40 calendar days. Failure to respond appropriately or at all can result in an ICO enforcement notice; these notices oblige an organisation to take whatever steps the ICO requires. Failure to comply is a criminal offence.
Enforcement notices are historically rare for SAR failures; however, Urch's case represents the 5th SAR enforcement notice reported in 2016 so far – we think this shows signs of an emerging trend that the ICO is showing less tolerance for organisations found in breach of their SAR obligations.
To see details of the enforcement notice, please click here.
To view any of the enforcement actions discussed above (and for any other enforcement actions taken by the ICO in June), please click here.
Below are the top actions and trends taken from the ICO's enforcement activity in July.
- Sugging 'will not wash'
The ICO has shown that direct marketing by any other name is still direct marketing after a Bolton-based company, Change and Save Ltd, was found to be promoting funeral and will-writing services under the guise of market research. The ICO issued an enforcement notice to Change and Save despite the company arguing that it was merely conducting a survey.
Whilst surveys are not necessarily caught by the direct marketing rules, if they promote goods or services (or the results are to be used for direct marketing purposes) – a practice known as "sugging" – the contact will fall into the category of direct marketing, since direct marketing is defined under the DPA as any form of communication which advertises or markets and is directed toward particular individuals.
In contacting members registered with the TPS, the company breached regulation 21 of the PECR, which prohibits marketing communications to people who have advised previously that they do not wish to be contacted. The ICO commented that passing off nuisance calls as legitimate market research "will not wash".
- SAR enforcement actions continue to rise
We reported last month on the increasing incidences of enforcement action taken for subject access request ("SAR") failures and delays. This trend doesn't appear to have subsided.
Consumer Finance Claims Ltd received an ICO enforcement notice for failure to respond to a SAR in July. The failure breached s.7 of the DPA which entitles individuals to be told, when requested, whether their personal data is being processed by an organisation. The information should usually be delivered to the recipient within 40 calendar days but Consumer Finance Claims did not respond to the SAR made in June of last year.
To view the ICO enforcement notice, please click here.
- Emails still a high data protection risk
Misdirected emails remain one of the top causes of enforcement action against organisations.
Northern Health & Social Care Trust signed an ICO undertaking in July committing the Trust to better data protection safeguards and training after 11 emails intended for one of the Trust's doctors were found to have been delivered to a member of the public of the same name over a 2-year period.
To view the ICO's undertaking against Northern Health & Social Care Trust, please click here.